Bank SMSishing attacks on rise in US - Infographic
Apple to offer blocking service with iOS 7 release
Apple recently introduced the world to its upcoming operating system update, with some major changes in both appearance and functionality. It was announced at the company's 2013 Worldwide Developers Conference in San Francisco on June 10, and is scheduled for release in Fall 2013. CEO Tim Cook has called it the "biggest change to iOS since the introduction of the iPhone" which launched in the summer of 2007.
One of the new features we are really looking forward to is the ability to block any unwanted numbers from contacting you.
Last year Apple added a Do Not Disturb feature to prevent iPhones, iPads, and iPods using iOS 6 from buzzing, beeping or causing any disturbances when we were trying to sleep, relax or enjoy some gadget-free time. However, its usefulness was very limited in that it wasn't possible to tailor your preferences for specific contacts.
With iOS 7, Apple is adding a built-in call blocking option for the first time on iPhone. Rather than relying on external app downloads, you can now block calls, messages and FaceTime from any phone number in a few quick and easy steps, right in the OS interface. This is a feature many have been requesting for a long time and is sure to make a whole bunch of people happy.
We’ve all encountered it before, whether it’s a former partner that won’t let go, a relentless barrage of telemarketing calls or an infuriating influx of unsolicited spam messages at all hours of the day. For those who decided not to opt for unlimited price plans with their operators it can also become a financial burden, having to pay for each message / call received. Of course this feature has been available to cell phone users for a number of years through a variety of services, but it is good to see Apple now tackling this directly. Although this won't successfully block typical spammers that we deal with on a daily basis here at AdaptiveMobile, it will help address personal issues such as unwanted advertising campaigns and text bomb attacks. Plus it will allow another way for people to help deal with spam, which is always a good thing.
Apple hasn't mentioned the new blocking feature on their website yet, but Apple senior vice-president of software, Craig Federighi, emphasized it at the end of his iOS 7 segment at WWDC 2013, and I'm sure more details will be available in the coming weeks. Only time will tell how well the blocking system works for everyday users; for example, hopefully the feature won't just suppress the display of the message, in which case the spam receiver may still end up paying for the spam. However, it will be a good feature to have at your disposal and test out when it finally ships in September.
Mobile Malware Spam Bot: SpamSoldier Returns
Over the last weekend (14th Sep.) we have seen the SpamSoldier malware come alive again. SpamSoldier is mobile malware that turns your phone into a member of a botnet that sends text message spam. It poses as a game app, e.g. Angry Birds, Need For Speed, GTA or Minecraft. After install it tries to install the actual game APK file packed inside it, but meanwhile it carries out malicious activity in the background. This malicious activity includes sending thousands of spam messages that attempt to spread the malware.
We saw some testing in early September, but the infection went live with several new C&C servers being used a few days ago. The spam it sends so far is of the following format:
Android Gamers Download free full versions of Minecraft, Grand Theft Auto and Need for Speed at www.[MALICIOUS DOMAIN]biz.cc
Download the Newest version of Angry Birds for Android phones for free at hxxp://[MALICIOUS DOMAIN]gg.biz
The Newest version of Angry Birds for Android phones is Available free at hxxp://[MALICIOUS DOMAIN]biz.cc
Clicking on these takes you to this
Apart from several new C&C servers that have been used in the new samples, there isn’t anything new in the code. Like the SpamSoldier outbreak from 2012, the malware periodically queries a C&C server, downloading a spam message template and a list of recipient numbers. The infected device then sends the spam message to the list of recipient numbers.
During their testing in early September, we found several APKs hosted on the site. None of them was working, because the C&C server had not been correctly set up, but the evidence pointed to a new potential campaign.
Since then, we have been monitoring their activity. We believe the spammer is trying to reuse the old SpamSoldier code. However, based on the samples we have seen, the spammers appeared to be struggling with repackaging the malware and setting up the C&C server: none of the C&C servers were able to deliver instructions.
Around the 15th, we saw a C&C server go live and the start of SpamSoldier-related spam activity among our customers; this spam contains a link to the malware. Only a few URLs hosting the malware have been used in this campaign so far, but all of the sites have been recently updated and host a fake Angry Birds app, and each sample uses a different C&C server.
Unlike the last campaign, where the spammer used the network to send a large amount of spam, this time we believe it is still in a heavy promotion stage: the spammer still seems to be trying to build the network at the moment. We have also seen indications that they are attempting to send the spam via email to SMS, and so not just from mobile devices. However, due to the early monitoring and blocking that we have put in place for our customers, and our conversations with industry partners, so far we haven't seen heavy spam traffic due to the malware. We will continue to monitor.
Note: Samples currently active (MD5 hash):
156b7b5f84544d5a867b0b527d0fc660
9e1719a4cbc44823734071602e2425b2
Saskatchewan Oil Boom Fuels Adult Dating Spam Attacks ?
Many of the large SMS spam attacks we see at AdaptiveMobile attempt to cover as much ground as they can before being shut down. For example, the US bank smsishing attacks we looked at in previous blog entries targeted 200+ different area codes. However, there are some notable exceptions, and high-volume attacks on individual locations are becoming increasingly common. In GSIM 8 we analyse the behaviour of JunkCar messages and the ruthless sending pattern that distributes thousands of messages within the Miami area to 305 and 786 numbers.
In a similar fashion, the map below shows a Canadian adult dating spam attack that we have been tracking over a five-day period from the 17th to the 21st of August. What's interesting about this is that it seems to be focused almost entirely on the Canadian province of Saskatchewan: 80,000 of the 90,000 messages were sent to locations within the province, and the remaining 10,000 were destined for the city of Winnipeg in the neighbouring province, Manitoba.
We found that many of the messages were personalised, but standard messages were also present (see examples below).
"Here's the crazy casuals site I told you about at work Jon, [REDACTED] - I got lots of action last week, easier than POF for getting women :p"
"Spencer here's that casuals website I told u I got loads of play on, [REDACTED] - Easier than bars, you'll do well on it. Still need a ride later?"
"Victor here's that casuals website I told u I got loads of play on, [REDACTED]- Easier than bars, you'll do well on it. Still need a ride later?"
The other obvious interesting fact about this spam is that it is not being sent to almost any of the other provinces, not even the nearby towns across the border in Alberta. What seems to be happening is that the spammers have decided to focus on one area for a particular length of time with adult-campaign-type messages. Purely speculating, this may be due to Saskatchewan's oil-based booming economy and population influx, which is seeing some towns experience double-digit population growth. However, this does not mean spammers won't change the target destination in the future. The fact that Winnipeg, Manitoba has received a low amount of spam could suggest that they are testing this area prior to moving. With this in mind it is wise to assume that this attack won't stay confined to Saskatchewan and could eventually target any part of Canada. As always, stay vigilant when it comes to spam and talk to your operator about how they can keep your phone safe.
New financial pyramid being spread by SMS
The scheme itself is not new but such types of scam are usually not spread via SMS.
Typical website
Details
The scheme works by people going to one of several websites, signing up and receiving an account with a unique URL containing the new user's name. If another person is directed to this URL and registers on the pyramid website through it, then the original user 'receives $5'. However, there is no way to claim this money.
Referral link and non-existent 'withdraw' links
It is a classic pyramid scheme. In fact, even clicking on the website yourself once you have signed up for an account increases your balance by $5. Once people create their 'account' they then try to spread it by typing the website into Facebook, Twitter and SMS messages and forwarding it on to different people. Some examples are below:
http:// [removed].com/?id=[removed] go to this link for more info..
[removed].com/?id=annyylondono go make money
http:// [removed].com/?id=[removed] click on this for me and sign up please karrie
Click on this http:// [removed].com/?userid=[removed]
Click this link so i can get me some money http:// [removed].com/?id=[removed]
http:// [removed].com/?id=[removed] Hey. Click that link for me! Help me out! No joke. I'd appreciate it!(:
In addition these pyramid websites contain advertisement URLs leading to InstallBrain adware which pretends to be yet another codec ‘for better performance’.
At this point, we believe the main aims of this scam are generating traffic for advertising and secondary spreading of unwanted applications and information harvesting. Unfortunately this is not the first or last campaign of this type and we remind people to stay away from such ‘profitable’ suggestions on the Internet regardless of the source of the information.
Visualizing Spam
A map is an incredible concept, if you consider it. A visualization that tells you in one glance the shape of things relative to what lies around them. No other image can give that much information.
I thought about this while we were trying to make sense of the flood of text messaging spam data we work with. Mobile spam can be a difficult subject to explain and put into context. Like many areas of cyber-security, there has been a huge element of uncertainty about what the real threat is, and this leads to unrealistic numbers being used by those who don't have access to the true data. At the same time, we've become aware that there is a sea-change happening within the mobile spam environment in North America. As our defenses get better, spammers are switching from sending with phones on the 'traditional' mobile operators to sending spam from VoIP operators. I debated how best to communicate this. The maxim "If you're explaining, you're losing" was on my mind: I needed visuals. But while stats and bar charts are good, I felt they didn't give the full story.
The inspiration came while researching a recent Canadian spam attack. Here it seemed clear that the spammers had not just selected random areas; they had focused on a specific province and, more to the point, specific towns within it. They were able to do this because they knew what mobile phone numbers from those towns should look like. Unlike most countries, which have dedicated telephone codes for mobile, the United States (and Canada) are among the few countries in the world that have geographic numbering for mobile phones. As members of NANPA, the North American Numbering Plan, they assign numbers for mobiles based on where they are registered, i.e. on exchanges. This registration is indicated by the first six digits of a phone number, where the first three digits are the area code (NPA) and the next three are the exchange code (NXX). This NPA-NXX is obviously not the true location (someone could buy a phone in New York and use it anywhere in the US, or the world for that matter), but it does give spammers a means to target certain areas they want to spam.
I had been working on visualizations in other areas, and then it dawned on me that this pseudo-location information could be used to visualize spam activity within North America in a way that hadn't been done before. With this I set to work.
Map of NPA-NXX Exchange Database for US, Canada, Puerto Rico & US Virgin Islands. One dot equals one exchange
First off, I needed the physical locations of the exchange codes. This was the most difficult part. The US and Canadian NANPA codes themselves are freely available, though they can be hard to find, and while there are some free sources of exchange codes with latitude/longitude, I found several locations and codes in them inaccurate or out of date. Cue many, many days of reconciling the data from several different sources and geo-locating new NPA-NXXs. After many frustrating iterations and sanity checks I eventually created a robust NPA-NXX database containing US, Canadian and Puerto Rican/Virgin Islands exchanges. I didn't expand further to cover the other, mostly Caribbean, NANPA countries: even though they are in NANPA, many of them don't allocate mobiles geographically to any degree.
Next, the input data and algorithm. I used random samples of spam messages blocked in September and October. I normally used sets of 1 million spam 'events' for the visuals, although in one case I used more. These events consisted of anonymized sender/receiver NPA-NXX pairs. The actual code for the visualization was written in Python and is basically a variant of the Great Circle Maps Python code by Paul Butler, based on the R code he wrote to create the fantastic Facebook relationship map. Without this the visuals would never have been possible. The reason I used this approach is that I loved the idea of generating the visuals from activity only, with no underlying map or background (the United States' population on both coasts allows this), plus it looked cool.
Original visualization of VoIP Carrier Spam - same colour for source and destination
One modification I did make was to show the source and destination differently. I tried a few different methods, but eventually settled on varying the brightness along each great-circle segment of the message path, with the brighter end representing the destination. I did this because, unlike the Facebook map, where connections have the same meaning for both participants, spam messages clearly don't. I also ran some early experiments with Nathan Yau's excellent tutorial and code for the R equivalent, but I found R's rendering performance much slower on the systems I ran them on. Finally, combining the spam data, the locations and the algorithm allowed me to produce the visuals released today.
These visuals show a wealth of stories in the war on mobile spam: who the main targets are, where it is coming from, and so on. Inspired by another great FlowingData tutorial, I also used the data to produce the spam-per-US-county map. I did this by assigning the exchanges to counties and mapping all ~10 million spam messages we detected and blocked during the two-month period. For the first time, this gives a real, quantitative view of what is happening within the United States, and I hope to release more analysis from this set as time goes on. While this analysis is interesting, I was pleased that I could also show visually the changes that are happening in mobile spam. As mentioned earlier, we know spammers are moving away from wireless carriers (the traditional big telcos we all know), due to improvements in defenses, and moving to sending from VoIP carriers. While spam from wireless operators looks like it originates from only a few key points, spam from VoIP carriers looks like it comes from everywhere. This is because when you sign up for an account with a VoIP carrier you can decide then and there what area code/area you want to use, which means North America seems to 'glow' with VoIP carrier spam.
This isn't the first time that messaging and calls have been visualized (AT&T, IBM and MIT did a very interesting one a few years ago, which uses 'true' location information), but what we've released is the first visualization of mobile spam patterns. I hope you find them interesting, and I leave you with a high-res version of possibly my favourite image, a California-originated 'pump and dump' spam attack that attempted to storm across the continent in September. With this improved intelligence, we can all better marshal our defences.
View High-Res version of California Pump'n'Dump Spam (Warning - 3.6MB)
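The three steps the post describes (mapping NPA-NXX to a location, measuring how concentrated a campaign's destinations are, as in the Saskatchewan attack above, and drawing each message as a great-circle arc that brightens towards the destination) as an added Python example. This is not the code behind the AdaptiveMobile visuals or Paul Butler's script; the exchange table and the spam events are constructed stand-ins, with real NPAs but made-up NXX values and rounded city coordinates.

```python
import math
from collections import Counter

# Constructed stand-in for the reconciled NPA-NXX database:
# "NPA-NXX" -> (place, latitude, longitude). NXX values are made up.
EXCHANGES = {
    "306-700": ("Regina SK", 50.45, -104.62),
    "306-701": ("Saskatoon SK", 52.13, -106.67),
    "204-700": ("Winnipeg MB", 49.90, -97.14),
    "305-700": ("Miami FL", 25.76, -80.19),
    "415-700": ("San Francisco CA", 37.77, -122.42),
}

# Constructed anonymized (sender, receiver) events: one VoIP-style source
# in 415 hammering Saskatchewan, with a trickle into Winnipeg.
EVENTS = (
    [("415-700-0001", "306-700-1%03d" % i) for i in range(5)]
    + [("415-700-0001", "306-701-2%03d" % i) for i in range(3)]
    + [("415-700-0001", "204-700-3000")]
)


def npa_nxx(number):
    """Normalise a NANP number to 'NPA-NXX', dropping a +1/1 prefix and punctuation."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) == 11 and digits[0] == "1":
        digits = digits[1:]
    if len(digits) != 10:
        raise ValueError("not a 10-digit NANP number: %r" % number)
    return "%s-%s" % (digits[:3], digits[3:6])


def locate(number):
    """(place, lat, lon) for the number's exchange, or None if the exchange is unknown.
    Unknown exchanges are left off the map rather than guessed."""
    return EXCHANGES.get(npa_nxx(number))


def province_of(place):
    """Region label from a place string such as 'Regina SK' -> 'SK'."""
    return place.split()[-1]


def destination_share(events, region_of=province_of):
    """Fraction of located events per destination region. A campaign whose mass
    sits in one region (the Saskatchewan pattern) shows up as a share near 1."""
    counts = Counter()
    for _src, dst in events:
        loc = locate(dst)
        if loc is not None:
            counts[region_of(loc[0])] += 1
    total = sum(counts.values())
    return {region: n / total for region, n in counts.items()}


def great_circle(src, dst, steps=16):
    """Points (lat, lon, brightness) along the shortest arc from src to dst (degrees).
    Brightness rises from 0.2 at the source to 1.0 at the destination, so the
    bright end of each drawn segment marks where the spam landed."""
    def unit(lat, lon):
        lat, lon = math.radians(lat), math.radians(lon)
        return (math.cos(lat) * math.cos(lon), math.cos(lat) * math.sin(lon), math.sin(lat))

    a, b = unit(*src), unit(*dst)
    dot = max(-1.0, min(1.0, sum(x * y for x, y in zip(a, b))))
    omega = math.acos(dot)  # central angle between the two endpoints
    points = []
    for i in range(steps + 1):
        t = i / steps
        if omega < 1e-12:  # identical endpoints: no arc to interpolate
            v = a
        else:  # spherical linear interpolation between the unit vectors
            s1 = math.sin((1 - t) * omega) / math.sin(omega)
            s2 = math.sin(t * omega) / math.sin(omega)
            v = tuple(s1 * x + s2 * y for x, y in zip(a, b))
        lat = math.degrees(math.atan2(v[2], math.hypot(v[0], v[1])))
        lon = math.degrees(math.atan2(v[1], v[0]))
        points.append((lat, lon, 0.2 + 0.8 * t))
    return points


def arcs_for(events, steps=16):
    """Great-circle arcs for every event whose two exchanges are both located."""
    arcs = []
    for src, dst in events:
        s, d = locate(src), locate(dst)
        if s is not None and d is not None:
            arcs.append(great_circle(s[1:], d[1:], steps))
    return arcs
```

Feeding `arcs_for(EVENTS)` to any plotting library, drawing each point with its brightness value on a black background, reproduces the no-basemap style of the visuals.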
Blackhat 2013; The Good, the Bad and the Mobile
I attended Blackhat just over a week ago and have only now caught up with the huge backlog I left myself. It was my first time at this event, so I was interested to see what it had to offer. In the past there hasn't been a huge amount of mobile material, one of the reasons I'd somehow missed this, but it was good to see the number of mobile-related presentations at this event.
A few things struck me:
The Good: Some of the presentations I found very interesting, not just the exploits themselves, but the way that they were found, and what had happened afterwards. The Android root key exploit (actually exploits) from Jeff Forristal at Bluebox and the Fake CDMA Femtocell exploit given by Doug DePerry & Tom Ritter at iSEC partners were pretty illuminating, but also for the sheer amount of work that some of these exploits took. The various M2M/SCADA exploit presentations were also good, this is something we’ve covered on the mobile side before and I expect to see more and more of. And whilst avoiding the swag-collecting hordes in the sponsor hall I had a lot of useful conversations with the various companies there.
The Bad: 9am starts in Las Vegas. Hard. And presentations getting moved or cancelled
The Mobile: Most of the mobile-orientated presentations approached mobile security from a device viewpoint. While this makes sense, as most researchers work with device OSs and exploits on the handset, I would have liked to see more mobile-network-orientated research, and the LTE Security presentation from Ankit Gupta didn't happen (why?). Hopefully next time there'll be more.
Finally, having all the different security talks in the same building meant the chance to find some hidden gold elsewhere. On a whim I jumped out of the presentation I was in and attended the Power Analysis Attacks presentation by Colin O'Flynn. While completely different to what I normally work with I found myself thinking of ways to apply the principle outlined for a type of network-based mobile threat detection. Who knows if it'll pan out and be usable, but for a few minutes more it was worth it.
Money for Nothing, SMS for Free?
What is Bazuc and what is it doing?
According to the website of the developers of this application, Bazuc is 'a free Android app that will allow you to earn extra money every day by selling us your SMS / Text Message credits that come with your monthly phone plan.' It is no secret that many mobile subscribers have a prepaid (or even unlimited) number of SMS messages which can be sent from their device, and some people don't use all of those SMS messages each month. That is why the Bazuc developers offer them a small amount of money for each message sent from their device. Users only need to install the Bazuc application. The developers promise to pay $0.001 for each SMS sent from the user's Android device. Sounds like a good deal, right?
Bazuc application
What is it doing actually?
The answer to this question is: Bazuc turns your device into an SMS-sending bot; it sends SMS messages from advertisers to destinations around the world. That is not good for the person who installed this application, for a few reasons. First, the user's unlimited messaging normally does not include unlimited international messaging, which is the main target of these Bazuc apps. So even if you are being paid $0.001 per message, you could be shelling out $0.50 per message to your operator to text countries around the world, running up huge bills for the person who owns the phone. Also, in many cases the advertising SMS being sent would be classified as spam, meaning that in the worst-case scenario the mobile operator will disable your mobile phone number because of the large amount of SMS spam being sent from your device.
How is Bazuc doing it?
Upon installation, the app sends an SMS from the device to itself. This verifies that the app (and the device) has the capability to send SMS. The text of the message is the following:
BAZUC Phone Number Validation
Upon successful receipt of the message, the app sends a registration HTTP request which contains the device phone number, country code and whether the user has given permission to send to international destinations. In response Bazuc receives a hashed registration key from the server. The app then replies with this hashed registration key (confirming receipt). After that it sends the configured daily and monthly message sending limits. The default configuration values are:
Daily 3,000 SMS
Monthly 30,000 SMS
The server sends a confirmation response and Bazuc then starts to receive candidate messages, and immediately sends these on.
Do you have any details on Bazuc network communications?
Yes, we do. Bazuc works with the following C&C: 192.241.***.***
Registration.
- Bazuc sends local phone number, MCC and whether accept sending to international or not in the following format:
http://192.241.***.***/registration?phone_number=[removed]&country_code=+1&international=true
- Servers issues a registration key which may look like this:
b9147e3ea66764******************
- Bazuc app confirms this key in the following format:
http://192.241.***.***/sms_sent_count?reg_key=b9147e3ea66764******************
- As a response server initializes count in order to calculate a payment.
- After that client uploads configuration which contains limits for sending SMS messages and account for payment in the following format:
http://192.241.***.***/user_limit?reg_key=b9147e3ea66764******************&dayLimit=3000&monthLimit=30000&paypal=victim@randomserver.com
Sending SMS messages.
- Bazuc sends a request to C&C int the following format:
http://192.241.***.***/jobs?reg_key=b9147e3ea66764******************
- Server responds with ‘NA’ if there’s no job and if there is a job then the response will contain the following data which is going to be processed by Bazuc application:
"id":632724,"recepient":"+4475********","message":"Hi Jadr your loan app of 1000 for Personal Use has been conditionally approved. Please call 087********. Ref F********","timeStamp":1383xxxxxxxxx,"reg_key":"","status":1,"last_updated":"","user_id":"","error":"","valid":true}
- Bazuc sends this messages and sends the a confirmation back to C&C http://192.241.***.***/job_status?reg_key=b9147e3ea66764******************&status=4&job_id=632723&error=na and increments a count for a calculation.
Geography and content
Bazuc sends SMS messages with different content to different phone numbers in many countries. Here is the diagram which shows out of a sample of 54 the most popular destination countries for messages sent by Bazuc.
Most popular SMS destinations
The content of these messages may vary from country to country. We’ve seen a lot of messages containing everything from spam payday loan offers sent to UK numbers, to Russian language advertisements sent to Ukrainian numbers.
Bazuc application was available on Google Play but has been removed. It was downloaded approximately 10 thousand times before taken down.
Why should not install it? It helps me to earn money!
Bazuc won’t help you to earn a lot of money, in fact it could cost you tens of thousands of dollars, euros or pounds and cause your phone to be disconnected. If something is too good to be true, it normally is.
Authors: Denis Maslennikov, Security Analyst; Yicheng Zhou, Security Analyst
Money for Nothing, SMS for Free?
Clarification - 13/12/13: The analysis below focused on the Bazuc PRO + International version (v2.3), which was active and present on Google Play in late October/early November 2013. That version let users allow international sending of SMS by consenting within the app's configuration page during registration. Since then Bazuc has released new versions which make it more difficult to enable sending of internationally destined SMS (users must email Bazuc to enable it) and whose main focus is sending SMS nationally.
What is Bazuc and what is it doing?
According to its developers' website, Bazuc is ‘a free Android app that will allow you to earn extra money every day by selling us your SMS / Text Message credits that come with your monthly phone plan.’ It is no secret that many mobile subscribers have a prepaid (or even unlimited) monthly SMS allowance, and some of them never use it all. Bazuc's developers offer to pay a small amount for each message sent from such a device: the user only needs to install the app, and the developers promise $0.001 per SMS sent from the user's Android device. Sounds like a good deal, right?
Bazuc application
What is it actually doing?
Bazuc turns your device into an SMS-sending bot: it sends advertisers' messages from your phone to destinations around the world. That is bad for the person who installed it, for several reasons. First, an unlimited messaging plan normally does not include unlimited international messaging, and international destinations are the main target of these Bazuc apps. So while you are being paid $0.001 per message, you could be paying your operator $0.50 per message to text numbers abroad, running up a huge bill. Second, much of the advertising being sent would be classified as spam, so in the worst case the mobile operator will disconnect your number because of the volume of SMS spam coming from your device.
How is Bazuc doing it?
Upon installation, the app sends an SMS from the device to itself. This verifies that the app (and the device) can send SMS. The text of the message is:
BAZUC Phone Number Validation
Upon successful receipt of that message, the app sends a registration HTTP request containing the device's phone number, its country code and whether the user has permitted sending to international destinations. In response it receives a hashed registration key from the server, which the app echoes back to confirm receipt. After that it uploads the configured daily and monthly sending limits. The default values are:
Daily 3,000 SMS
Monthly 30,000 SMS
The server sends a confirmation response, and Bazuc then starts receiving candidate messages, which it sends on immediately.
Do you have any details on Bazuc network communications?
Yes, we do. Bazuc works with the following C&C server: 192.241.***.***
Registration.
- Bazuc sends the local phone number, the country dialling code and whether international sending is accepted, in the following format:
http://192.241.***.***/registration?phone_number=[removed]&country_code=+1&international=true
- The server issues a registration key, which may look like this:
b9147e3ea66764******************
- The Bazuc app confirms this key in the following format:
http://192.241.***.***/sms_sent_count?reg_key=b9147e3ea66764******************
- In response the server initialises a counter that is used to calculate payment.
- The client then uploads its configuration, which contains the SMS sending limits and the PayPal account for payment, in the following format:
http://192.241.***.***/user_limit?reg_key=b9147e3ea66764******************&dayLimit=3000&monthLimit=30000&paypal=victim@randomserver.com
Sending SMS messages.
- Bazuc requests a job from the C&C in the following format:
http://192.241.***.***/jobs?reg_key=b9147e3ea66764******************
- The server responds with ‘NA’ if there is no job; otherwise the response carries the following data, which the Bazuc application processes (the field name ‘recepient’ is the server's own spelling):
{"id":632724,"recepient":"+4475********","message":"Hi Jadr your loan app of 1000 for Personal Use has been conditionally approved. Please call 087********. Ref F********","timeStamp":1383xxxxxxxxx,"reg_key":"","status":1,"last_updated":"","user_id":"","error":"","valid":true}
- Bazuc sends the message and reports completion back to the C&C in the following format: http://192.241.***.***/job_status?reg_key=b9147e3ea66764******************&status=4&job_id=632723&error=na. The server then increments the counter used for the payment calculation.
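As an added worked example (not AdaptiveMobile's tooling and not code from the Bazuc app), here is a small Python triage helper that reconstructs the session described above from proxy-style request logs. It classifies each request against the five endpoints listed, recovers the registration key, payout account and limits, parses a /jobs response, and estimates the installer's worst-case exposure using the $0.50 versus $0.001 figures from the post. The log lines and the job body are constructed for the example, and 192.241.0.2 stands in for the redacted C&C address.

```python
"""Triage helper for Bazuc-style SMS-relay C&C traffic.

Added example: not AdaptiveMobile's tooling and not code from the Bazuc app.
It parses HTTP request lines as a proxy or sandbox would log them, using the
endpoint paths, query parameter names and job JSON shape reported in the
write-up. The log lines and the job response are constructed for this example;
192.241.0.2 is a placeholder for the redacted C&C address.
"""
import json
from urllib.parse import urlsplit, parse_qs

# C&C endpoints reported in the write-up, in the order a fresh install hits them.
BAZUC_STAGES = {
    "/registration": "register",
    "/sms_sent_count": "confirm_key",
    "/user_limit": "upload_limits",
    "/jobs": "fetch_job",
    "/job_status": "report_job",
}
C2_HOST = "192.241.0.2"  # placeholder for the redacted 192.241.***.*** address

# Constructed proxy log: one request line per message, plus one unrelated request.
SAMPLE_LOG = """\
GET http://192.241.0.2/registration?phone_number=%2B15550001234&country_code=+1&international=true
GET http://192.241.0.2/sms_sent_count?reg_key=b9147e3ea66764aaaaaaaaaaaaaaaaaa
GET http://192.241.0.2/user_limit?reg_key=b9147e3ea66764aaaaaaaaaaaaaaaaaa&dayLimit=3000&monthLimit=30000&paypal=victim@randomserver.com
GET http://192.241.0.2/jobs?reg_key=b9147e3ea66764aaaaaaaaaaaaaaaaaa
GET http://192.241.0.2/job_status?reg_key=b9147e3ea66764aaaaaaaaaaaaaaaaaa&status=4&job_id=632724&error=na
GET http://example.org/index.html
"""

# Constructed job response in the shape shown in the write-up ("recepient" is the server's spelling).
SAMPLE_JOB = json.dumps({
    "id": 632724, "recepient": "+447500000000",
    "message": "Hi Jadr your loan app of 1000 for Personal Use has been conditionally approved.",
    "timeStamp": 1383000000000, "reg_key": "", "status": 1, "last_updated": "",
    "user_id": "", "error": "", "valid": True,
})


def classify_request(line):
    """Return (stage, params) for a Bazuc C&C request line, or None for anything else."""
    url = line.split(maxsplit=2)[1] if " " in line else line
    parts = urlsplit(url)
    if parts.hostname != C2_HOST or parts.path not in BAZUC_STAGES:
        return None
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    # The client sends country_code=+1 with a literal '+', which form decoding turns
    # into a space; restore the dialling prefix (assumes the value is always '+<digits>').
    if "country_code" in params:
        params["country_code"] = "+" + params["country_code"].strip().lstrip("+")
    return BAZUC_STAGES[parts.path], params


def parse_job(body):
    """Parse a /jobs response: 'NA' means no work; otherwise return the job dict."""
    body = body.strip()
    if body == "NA":
        return None
    job = json.loads(body)
    if not job.get("valid") or not job.get("recepient"):
        return None
    return job


def reconstruct_session(log_text):
    """Walk the log in order and pull out the indicators an analyst wants from a session."""
    session = {"stages": [], "reg_key": None, "phone_number": None, "country_code": None,
               "international": None, "paypal": None, "day_limit": None,
               "month_limit": None, "reported_jobs": []}
    for line in log_text.splitlines():
        hit = classify_request(line)
        if hit is None:
            continue
        stage, p = hit
        session["stages"].append(stage)
        if "reg_key" in p:
            session["reg_key"] = p["reg_key"]
        if stage == "register":
            session["phone_number"] = p.get("phone_number")
            session["country_code"] = p.get("country_code")
            session["international"] = p.get("international") == "true"
        elif stage == "upload_limits":
            session["paypal"] = p.get("paypal")
            session["day_limit"] = int(p.get("dayLimit", 0))
            session["month_limit"] = int(p.get("monthLimit", 0))
        elif stage == "report_job":
            session["reported_jobs"].append(int(p["job_id"]))
    return session


def is_relay_bot_session(session):
    """A device that registered, uploaded limits and reported a job is relaying SMS for the C&C."""
    return {"register", "upload_limits", "report_job"} <= set(session["stages"])


def worst_case_daily_cost(day_limit, operator_cost_per_sms, payout_per_sms):
    """(operator bill, Bazuc payout) per day if every permitted message goes international."""
    return round(day_limit * operator_cost_per_sms, 2), round(day_limit * payout_per_sms, 2)


if __name__ == "__main__":
    s = reconstruct_session(SAMPLE_LOG)
    print("relay bot session:", is_relay_bot_session(s))
    print("payout account:", s["paypal"], "limits:", s["day_limit"], "/", s["month_limit"])
    job = parse_job(SAMPLE_JOB)
    print("next job:", job["id"], "->", job["recepient"])
    print("worst-case daily bill vs payout:", worst_case_daily_cost(s["day_limit"], 0.50, 0.001))
```

With the default limits the numbers speak for themselves: 3,000 international messages a day at $0.50 is a $1,500 bill against a $3 payout. Note also that a form-style query decoder turns the literal '+' in country_code=+1 into a space, so the helper restores the prefix rather than recording ' 1'.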
Geography and content
Bazuc sends SMS messages with varying content to phone numbers in many countries. The diagram below shows, from a sample of 54, the most popular destination countries for messages sent by Bazuc.
Most popular SMS destinations
The content varies from country to country: we have seen everything from payday-loan spam sent to UK numbers to Russian-language advertisements sent to Ukrainian numbers.
The Bazuc application was available on Google Play but has since been removed. It was downloaded approximately 10 thousand times before it was taken down.
Why shouldn't I install it? It helps me earn money!
Bazuc won't help you earn a lot of money; in fact it could cost you tens of thousands of dollars, euros or pounds and get your phone disconnected. If something sounds too good to be true, it normally is.
Authors: Denis Maslennikov, Security Analyst; Yicheng Zhou, Security Analyst
Snapchat - Into the Breach
NOTE: This blog has been updated with more information on whether non-US accounts could be affected
For those of us who track mobile security developments, the recent claims of hacks within Snapchat, the popular picture-sending app, have been of interest. However they have just become potentially much more damaging. An unwelcome New Year's guest is a website, snapchatdb.info, that has made available the usernames and partial phone numbers of ~4.6 million North American Snapchat users.
While the method used, and the potential motive, are covered in depth elsewhere, in the mobile security industry we are concerned with what specific negative impact this disclosure could have now. The answer is: considerable, especially if the full dataset is made available.
First, the full numbers themselves, if made available, could be used as targets for mobile spam attacks. As we have discussed before, lists of active mobile phone numbers are worth money within the spam industry and are sold between mobile spammers. In addition, any personalised information attached to a number allows spammers to tailor their spam so that it is more meaningful to the target, turning a blunt ‘standard’ spam message into a phishing attack and increasing the spam's conversion rate. In this case there is the obvious tactic of using the Snapchat username, but there are also less direct sources of information available just from appearing in this database, such as likely demographics, that could further refine a future attack.
Second, even the dataset currently available has the potential to do harm. Though the authors obfuscated the last two digits, the remaining digits still ‘guide’ spammers to active mobile numbers, which are not always easy to identify. In this particular case, analysis of the dataset shows that the vast majority of the numbers (over 92%) come from just six states, namely California, Texas, Illinois, Colorado, Florida and Massachusetts, with only a smattering from other states. The lop-sided geographic spread of the published dataset is of some interest: the scarcity of Snapchat numbers from high-population states such as Texas means that I judge it very unlikely that this truly is the ‘vast majority of the Snapchat users’, as the snapchatdb.info authors state (previous estimates of the userbase made this unlikely anyway). Its practical effect, however, is to give spammers a guide to spamming within those areas. If the authors truly wanted to minimise spam and abuse, it would have been far better to obfuscate the last four digits of the numbers.
For a county-by-county view of the affected accounts, click here (note that the above maps are derived from North American phone numbering allocations, not from the location field in the SnapchatDB dataset, which is of uncertain origin).
Finally, like any other data breach, the other obvious implication is the re-use of the usernames and numbers by attackers for other purposes, such as attempting to log in to other types of account. It remains to be seen what emerges from this.
It is greatly to be hoped that the full database is not made public or shared with mobile spammers (the snapchatdb.info website mentioned making the full database available to those who request it), but while we hope for the best we plan for the worst. Since the database went public we haven't seen an anomalous increase in spam in these states, or any Snapchat-themed spam, but it is still early, and this is something we will monitor with our North American mobile operator customers.
As always, protect your data, never post your phone number on a forum or group where you think it is going to be made public, and report any spam you receive to your operator.
UPDATE: 2-1-2014
I have been getting some questions, and reading some interesting comments, on why this breach contains only North American (actually 99.8% US) numbers. The exploit will work for non-US numbers, but in theory it is much easier to retrieve valid US Snapchat accounts than accounts from the rest of the world. This is because the researchers had a head start with the numbering plan in the US, something that isn't commonly available elsewhere.
The breach works via the find_friends exploit: submit a group of phone numbers, and if user details are returned for a number, that number belongs to a Snapchat user. But you have to start with a set of numbers from somewhere, and this is where the North American Numbering Plan really helps. Gibson Security, the researchers who originally identified this vulnerability, suggested iterating through a phone number sequence like (XXX) YYY-ZZZZ, cycling through the Z's. Technically the (XXX) YYY part is called an NPA-NXX exchange. From AdaptiveMobile's own research there are roughly 160 thousand NPA-NXX exchanges in the US. A certain percentage of these are landline-only or unallocated. The landline share is very hard to pin down, but one very rough estimate (see [1] below) is 32%, so these can be ignored. That leaves about 1.087 billion potential cell numbers to be queried, i.e.
160,000 active exchanges x 0.68 wireless ratio x 9,999 possibilities per exchange = 1.087 billion
Those 1.087 billion candidate numbers are spread over a US population of 314 million, a ratio of about 0.29 people per candidate number (314 / 1,087); in other words, the best case is that roughly one candidate in three or four belongs to anybody at all. That means brute-forcing by cycling through the Z's is possible and, as the breach shows, feasible. Once you pick the local areas you want, you can cycle through the numbers with a fairly good expectation of success.
Compare that with countries like the UK or Ireland. Ireland has five dedicated mobile codes (083, 085, 086, 087, 089), each followed by seven digits. That gives up to 50 million phone numbers for a population of 4.6 million, a ratio of 0.092 people per candidate number. The UK has five dedicated codes (074, 075, 077, 078, 079), each followed by eight digits, giving potentially 500 million numbers for a population of 63 million, a ratio of 0.126. Of course a lot of those numbers will be invalid, but knowing which ranges are valid is much harder in these countries: not only are the odds against you, it is harder to know where to start when you don't have a guide like the North American Numbering Plan to help you.
So on the numbers alone it is roughly 2.5 to 3 times easier to find a Snapchat user in the US than in the UK or Ireland. On top of that, the practical value of being able to use known active area codes and exchanges can't be overestimated; without it, in other countries you are simply querying in the dark, and this is what really makes things harder. Finally, Snapchat's popularity varies by country, which may make it harder again to find users outside the US. Altogether it is many times harder to find a Snapchat user in the UK or Ireland, but still possible.
Incidentally, I think you can see this logic in action in the county-level distribution of affected users. Some states clearly received a heavy volume of queries (California and Colorado, for example), but whereas Colorado has relatively few exchanges in the whole state, allowing the entire state to be queried, in California the researchers seem to have queried just the Bay Area and Los Angeles, because of the sheer number of exchanges (and therefore ‘friends’) that would otherwise have had to be queried.
Let’s hope that Snapchat deal with this issue quickly, so that no more friends are queried!
UPDATE 3-1-2014 13:15 GMT
The state map of affected Snapchat accounts has been updated with slightly increased counts. The previous map was generated with exchange information that did not take into account recently allocated exchanges, so some counts were slightly low. Apologies.
[1] ITU statistics give 303,052,000 mobile cellular subscriptions and 140,989,000 fixed-line subscriptions for the US in 2012, a (very) rough 2:1 ratio. Assuming that numbers within assigned exchanges are allocated in the same proportion, 68% of them are wireless. Feel free to query this or suggest better values.
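To make the comparison in the 2-1-2014 update concrete, the following Python model is an added example (not from the post, and not Gibson Security's code). It describes a numbering plan as a count of mobile-capable prefixes, the number of subscriber digits cycled under each prefix, and a population, and computes the candidate space and a hit-rate bound (population divided by candidates, i.e. the best-case fraction of blindly chosen candidates that belong to anyone at all, before Snapchat's own market share is considered). It uses the post's own figures, except that it counts 10,000 possibilities per exchange (0000 to 9999) rather than 9,999, giving 1.088 billion US candidates instead of 1.087; the enumerate_exchange helper shows the ‘cycle through the Z's’ step for one NPA-NXX, using the reserved 555 exchange so that no real subscriber number is produced.

```python
"""Candidate-space model behind the numbering-plan argument in the update above.

Added example, not from the post or from Gibson Security. Figures are the
post's own: ~160k US NPA-NXX exchanges, 68% wireless share (ITU 2012), 314M
people; Ireland 5 mobile codes x 7 digits, 4.6M people; UK 5 codes x 8 digits,
63M people. The hit-rate bound is population / candidate numbers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NumberingPlan:
    name: str
    prefixes: int            # known mobile-capable prefixes (NPA-NXX exchanges or mobile codes)
    subscriber_digits: int   # digits cycled under each prefix (the Z's in (XXX) YYY-ZZZZ)
    population: int
    mobile_share: float = 1.0  # fraction of prefixes assumed mobile-capable (1.0 for dedicated codes)

    def candidate_numbers(self):
        """Numbers an attacker would have to query to cover the plan's mobile space."""
        return round(self.prefixes * self.mobile_share) * 10 ** self.subscriber_digits

    def hit_rate_bound(self):
        """Upper bound on the fraction of candidates that map to a person."""
        return self.population / self.candidate_numbers()


def mobile_share_from_subscriptions(mobile_subs, fixed_subs):
    """Footnote [1]'s rough estimate: wireless share of allocated numbers."""
    return mobile_subs / (mobile_subs + fixed_subs)


def relative_ease(plan_a, plan_b):
    """How many times more likely a blind candidate is to be a live number in plan_a than plan_b."""
    return plan_a.hit_rate_bound() / plan_b.hit_rate_bound()


def enumerate_exchange(npa, nxx):
    """The 'cycle through the Z's' step for one NPA-NXX exchange, as E.164 strings."""
    return [f"+1{npa}{nxx}{z:04d}" for z in range(10_000)]


# The post rounds the ITU-derived share (about 0.682) to 0.68; the US plan uses the rounded value.
US_WIRELESS_SHARE = mobile_share_from_subscriptions(303_052_000, 140_989_000)
US = NumberingPlan("US", prefixes=160_000, subscriber_digits=4,
                   population=314_000_000, mobile_share=0.68)
IRELAND = NumberingPlan("Ireland", prefixes=5, subscriber_digits=7, population=4_600_000)
UK = NumberingPlan("UK", prefixes=5, subscriber_digits=8, population=63_000_000)

if __name__ == "__main__":
    print(f"ITU-derived wireless share: {US_WIRELESS_SHARE:.3f}")
    for plan in (US, IRELAND, UK):
        print(f"{plan.name}: {plan.candidate_numbers():,} candidates, "
              f"hit-rate bound {plan.hit_rate_bound():.3f}")
    print(f"US vs UK: {relative_ease(US, UK):.1f}x, US vs Ireland: {relative_ease(US, IRELAND):.1f}x")
    # 555 is a reserved NXX in the NANP, so none of these are real subscriber numbers.
    block = enumerate_exchange("415", "555")
    print(len(block), block[0], block[-1])
```

The hit-rate bound is what the post calls a ‘ratio’: about 0.29 for the US against 0.126 for the UK and 0.092 for Ireland, so the US comes out roughly 2.3 times easier than the UK and 3.1 times easier than Ireland before the practical advantage of a published exchange list is even counted.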
Snapchat Spam Woes
Snapchat's prompt statement on the massive reported increase in Snapchat spam over the weekend was interesting, but not unexpected. The obvious question is whether the recent upsurge is due to the Snapchat breach on New Year's Day. Snapchat's CEO has said that it isn't.
In reality it almost certainly has been affected by the breach, at least indirectly. The breach has probably made more people conscious of Snapchat security issues, so any influx of Snapchat spam was going to be reported in much greater numbers. It is also likely that the spammers were at least influenced by the breach's timing, either delaying their attack until now or speeding it up while weaknesses are perceived to exist. And the sheer size of Snapchat's user base (the snapchatdb breach allows a credible estimate of nearly 33 million users in the US alone, obtained by multiplying 10.4% by the US population) means there is now better knowledge of the size of a very tempting target.
The question then is what to do. I have a lot of sympathy for any communication system that starts experiencing spam in large numbers; spam of any type, once established, can be difficult to eliminate without the right security mechanisms. However Snapchat's statement that spam is a feature of a quickly growing service is a curious one. While being a target for spammers is indicative of a large communications business, actually suffering it should not be. It does not have to be accepted, and in Snapchat's case the problem should not be insurmountable. As they operate an essentially closed system they can implement mechanisms such as filtering centrally. Snapchat's newness also helps: spammers may not yet have invested much in systems to send ‘snapspam’, so their barriers to exit will not be high. Reasonably basic defences will probably make a big initial difference.
The next step would be an easier form of snapspam reporting. While helpful, this is not an end in itself, as it requires constant monitoring, and the nature of Snapchat spam may work against it. Reported spam can have a very poor signal-to-noise ratio (the number of genuine spam reports relative to everything else reported), which means reports need to be verified, and that means dedicated resources. In addition, real Snapchat spam may well be under-reported: SMS spam reporting consistently under-represents ‘adult’ messages, simply because people do not seem to like reporting messages with adult content. Snapchat is likely to experience the same, further emphasising the need for an all-round snapspam-blocking system that relies on multiple methods rather than on reports alone.
Thankfully there is a whole industry in place to assist Snapchat: organisations like the GSMA and M3AAWG have done a lot of work on dealing with spam and have the experience and expertise to advise. It will also require a mindset, and resources, within Snapchat to start addressing these issues daily, not just spam but security issues in general. That is the sign of a growing service.
Big Spam Hunting
Today we announced an overview of SMS spam figures for 2013. Our headline figure was a drop in malicious SMS spam of nearly 80%. In reality we could have used a range of figures to describe the same thing: the essential collapse of spam sent from mobile phones in North America over 2013. This collapse is largely due to operations over the last year in which we tracked, hunted and worked to take down the biggest and most dangerous mobile spammers in North America, whom we call the ‘Big Five’.
Preparing for the Hunt
First some context. When we refer to spam over text messages we re-use the email industry's standard definition: bulk and unsolicited messaging. This includes a host of malicious spam types such as fake banking alerts, phishing sites and work-at-home scams, sent to mobile phones randomly or in a targeted fashion. We do not count text messages the receiver may have signed up for at some stage, for example legitimate subscribed marketing messages, social network notifications or messages from your carrier. Many people do find these unwanted, but they are not generally fraudulent and can normally be opted out of.
Second, the scale. The reductions we have seen are in our wireless customers' North American traffic, which accounts for close to half of all SMS messaging within North America, so the spam types are representative of what is encountered across the whole mobile environment. However, the same scale of drop may not be experienced by subscribers of operators that are not our customers. In addition, as spam from mobile phones has been blocked, mobile spammers have been switching to other means of sending, such as email-to-SMS gateways and, as has been seen in the media, other messaging types. Spam sent via these systems has generally not been tracked and so is still being received by subscribers. Finally, mobile spam leaving or entering North America is also included: while there is considerable spam between Canada and the US, spam to and from outside North America is normally not a huge percentage of total figures, so this did not materially affect the totals.
The Results
The above graph shows the over 100 million (103,349,587) mobile attacks that we detected and blocked during the year. We do not take estimates or subscriber reports of spam and then apply a multiplier to arrive at a ‘true’ figure; we use the real counts. At the monthly level, mobile spam blocked fell from a high of 22 million in March 2013 to 4.7 million in December 2013, which is where our figure of nearly 80% comes from (1 − 4,716,490/22,014,229 = 78.6%, to be exact). That works out at an SMS spam rate of considerably less than 0.01% of our customers' total SMS traffic for December.
You can see that the majority of mobile spam falls at the start of the year and that volumes approach a steady state towards the later part of the year. This monthly graph hides a myriad of stories, however, and to give a true account of the year, and of why the graph looks the way it does, we need to look at the data more closely, both in time and in context. A closer time period is shown in the weekly graph below, but for context we need to take you into the mobile security jungle.
Know your Target
Mobile spam is not a random, uncoordinated phenomenon; it is sent by known threat actors, ranging from sophisticated multinational criminal operations to small, aggressive local scammers. These are the groups our analysts monitor, track and ultimately work against, an activity we call ‘hunting’, for obvious reasons. Internally we give these groups code names based on type, location and other attributes, as intelligence on a group is key to the anti-spam techniques used against it, which can have a huge impact on the mobile spam ecosystem. Many of these hunts are still ongoing, and we have frequently seen targets shift strategy or terrain to hide from us, but here we will talk about the ‘Big Five’ of 2013 and the part that hunting them played in the year.
The Big Five for 2013 are specific, high-value targets that we have hunted and whose spam we have reduced, completely in some cases. There are of course many other groups, both in North America and worldwide, that we tracked and blocked during 2013 and onwards, but the Big Five occupied much of our time, and accounted for much of the spam you have received in the past, so they were singled out for particular attention. Note: we have not given specific examples of message content, in order to preserve the secrecy of our ongoing operations.
You can see from the graph below that we categorise the results of ‘actions’ against these groups into three types: Strike, Trapped and Takedown. We take actions against these groups all year round, but these are the ones of particular interest against the Big Five. A Strike is an action that has a large impact on a spammer group, although the group retains the ability to function; one possible outcome of a Strike is the spammer switching from sending via a wireless carrier to sending via a VoIP carrier. Trapped is when an action causes a significant (typically >80%) reduction in spam from the group, or a disruption of its activities. Finally, Takedown is when the group is effectively terminated. Normally we can only tell what the end result of an action is weeks or even months later, and, as you can see, the spammer often responds to our actions by stepping up their attacks in an attempt to break free.
Phishing/US-O/LION
This was a very aggressive spammer sending huge amounts of fraudulent phishing messages from tens of thousands of phone numbers to mobile phone users across the United States. Extensive intelligence gathering followed by a series of targeted takedowns, in conjunction with carrier partners, in mid to late February 2013 crippled its activity, causing a significant drop in SMS spam in the US.
Current status: Stuffed. They reappear briefly, but not for long periods. However there are signs that they have passed some of their techniques and experience on to other spam groups, particularly RHINO.
GiveawayScam/US-NE/LEOPARD
This highly adaptive and alert spammer was responsible for sending huge amounts of free-giveaway scam text messages in the early part of the year. Based in the US North-East, they required an intensive anti-spam hunt over several days to keep up with their changing attacks, which sometimes changed in less than a minute, but the hunt eventually succeeded in bringing them down in mid March, causing a huge drop in mobile spam in North America. At the height of the struggle SMS spam in North America rose to over 8 million a week, driven primarily by this group's attempts to overwhelm defensive systems.
Current status: Forced out to prowl the edges, but getting bolder. Like a true leopard, they have changed their spots multiple times. Recently they have reappeared, sending spam from systems other than mobile phones, and are currently ‘hiding’ in less well defended areas.
Adult/US-W/PANTHER
The most sophisticated mobile spammer operating in North America. Decentralised and highly nocturnal, at night they send a series of aggressive adult-themed messages to targets throughout the US. Their main base is in the western US, but they have affiliates throughout the country. They tend to fly ‘under the radar’ of traditional mobile anti-spam defences, as victims are typically reluctant to report the messages to their carriers. A series of strikes allowed them to be trapped in mid October, and the last sighting of them was in mid November.
Current status: Possibly extinct. Once trapped, the amount of spam they sent was a fraction of what it had been, and a series of co-ordinated strikes reduced it to zero. Caution is advised, however, as they have demonstrated considerable cunning in the past.
Marketing/US-SE/BUFFALO
Determined, aggressive and persistent. This spammer sends millions of unwanted marketing messages to specific areas of the US South-East, regardless of whether anyone has opted in. They run a less sophisticated operation than many of their fellow spammers, but make up for it in determination and brute force, sending a range of different types of marketing spam.
Current status: Disorientated. Over many months their spam volume has greatly lessened; vigilance is still required, however, as they could attempt to surge at any moment if they see an opportunity.
Phishing/US-SE/RHINO
A persistent, determined spammer who now shares a lot of attributes with the LION group, although initially they had a greater affinity with LEOPARD. Based in the US South-East, they send spam nationwide and have moved between sending carriers when forced to. They send a large variety of message types, ranging from phishing scams to fake pharmaceutical offers. Recent activity has reduced their spam-sending capability considerably.
Current status: Still very active, but with spam reduced, and more reductions to come.
After the Hunt
It goes without saying that a lot of the above was achieved through extensive co-operation within the mobile industry, to whom we owe thanks; without it, mobile spam would not have been reduced as much. And this is just the start: as more wireless carriers introduce anti-spam protection, spam volumes will reduce further, and future anti-spam legislation and legal interventions will make the environment even less hospitable for these spammers. If earlier figures are to be believed, mobile spam is nothing like it once was. However we must stay vigilant: other groups are still active, and new ones may arise to stake out vacated territory. You can help us in the anti-spam hunt by:
- never responding to mobile spam
- never ringing any number or clicking any link in a spam message
- telling your operator about any message you think is malicious spam
Finally, a warning: even once taken down, spammer groups watch and probe defences, hoping to take advantage of any perceived weakness or dropping of our guard. Another side-effect we have seen first-hand is that the SMS spammer groups still active in North America have had to evolve to survive, and in doing so have become some of the most dangerous and persistent in the world.
But to paraphrase Hemingway: Certainly, there is no hunting like the hunting of spam, and those who have hunted spam long enough and liked it, never care for anything else thereafter.
*A note on January: due to changes in our stats collection we do not have data for January 2013. Our estimates suggest a very high probability that the spam figures for January exceeded those for March, but we have elected to use only real message counts, not estimates.
Ethical Growth Hacking
Today we released a notice to the industry on the use and misuse of types of growth hacking, which I think is timely, although this story has been a long time coming. I first heard the term ‘growth hacking’ a few weeks ago, in relation to innovative ways for technology start-ups to grow; it is really just the buzz term for innovative or disruptive marketing. I was mildly interested until I came across this good article describing growth hacking over SMS and the annoyance it causes. I realised then that this has another name within AdaptiveMobile: we call these messages ‘app-spam’.
App-spam is when, on installation or use of a mobile app, the app asks whether you would like to ‘communicate/share/play/something’ with some or all of the contacts in your phone book. If you say yes, SMS text messages are sent to your contacts telling them that you have joined and asking whether they would like to join you in your new app bliss.
Sound familiar? It should: our analysis over the last two weeks shows that between 5.37 and 6.8 million of these are sent and received every day in the US alone. Nor is this a US-only phenomenon; it is being seen across the world, in every country. It seems that app growth hacking is here in force.
However, as you can imagine, there is a dark side to this form of Growth Hacking, depending on how the app author decides to 'hack'. If they do it aggressively, you as the mobile phone user are in danger of being labelled a spammer; or, in one extreme case we have been monitoring for the last few weeks, if they do it very badly you are in danger of participating in an accidental DDoS attack on a wireless carrier.
First of all, while the better-behaved apps simply ask you who you would like to invite, the more aggressive app developer really wants you to send that invite to your friends. It is in their interest that you are encouraged to do so, and so they design their app to steer you towards it. If you don't believe me, try installing one of these currently popular and trending apps, Secrets or Glide (the Android versions), and try not to invite all your friends. It's possible, but believe me, you're going to seriously struggle to figure it out! If you give up and decide to go ahead, all your contacts, including business associates or those you'd rather not know you have this app, are going to get the pleasure of a bulk invite from your phone or with your name. Good for the app; bad for you if you didn't want all your contacts to know you installed it.
Second, depending on your luck in app choices, those invites might or might not be coming from your phone. This really varies by app and geography. App-spam invites sent from your phone mean that the recipient can put a name to them, and the app's marketing bet is that people are more likely to recognise and open them. However, it is more problematic, as it can lead to phone charges for the sender, and messages sent from your phone can be an issue if they are perceived as unwanted, which happens every day. That means your contacts, especially the ones you do not communicate with regularly, might consider you a spammer, as the invite message came from your phone. This method of enabling the growth hack is generally the more common. A different method is for your invites to be sent via a dedicated SMS sending account. This tends to be more secure and traceable; however, it is more expensive for the app developer to maintain and so is not as common for apps at the start of their life cycle.
Third, the content of the app invite message can be so vague, and in fact misleading, that it leads to further annoyance and to the perception that the message is spammy. Due to the reduction in spam levels achieved in the United States and other geographies, these messages have become even more prominent.
Finally, and most seriously, in some cases we have come across apps whose implementation of Growth Hacking is so poor that they have negatively impacted both the subscriber who installed the app and the mobile network itself. In one case 2 weeks ago we had to investigate a popular social communications app that is currently 'going viral' in certain parts of the world. Alerted by strange behaviour, we found that some devices were sending up to tens of thousands of invites to the same numbers over and over. These tended to be strange numbers like '111' or '123456789'. After investigation, we established that these users had installed an app in which it was very difficult not to invite all contacts. The problem the developers did not consider is that a certain percentage of people have 'invalid' contacts in their phone: short numbers, names with no phone number, disconnected phones. This is common behaviour (and is used to stop 'butt-dialing', amongst other things). However, as this app simply 'scooped' all the contacts, it got these entries as well. From that point things got worse, as the app:
- Did not check that the numbers were valid
- Was configured to send invites to all contacts repeatedly, until the app received a response saying the message was successfully sent to that contact.
As these numbers didn't exist or were not reachable, the app simply went into a loop, resending invites over and over while the phone was switched on. All told, we registered this one app, installed on barely two thousand devices, sending close to half a million messages (440k) over the weekend of the 25th/26th of January! As well as causing disruption to any subscriber that installed this app (one subscriber with several invalid contacts was recorded sending 30k+ invites during the two-day period), it also put the unknowing subscriber in danger of disconnection for looking like a spammer attempting to perform a mobile DDoS-like attack on the network via SMS. In addition, our concern was that as this app was still growing in popularity, the effect would rise enormously and affect the mobile operator's service.
Thankfully, we identified and dealt with the problem in conjunction with our customers, and informed the app developer (who never responded but updated the app a few days later; I assume they got the message). The effect would not have been as bad if this app hadn't also directed its users to invite all contacts; we also informed them of this, but they did not change that part.
Growth hacking using SMS invites has been brought up before, but never with a recommendation on what to do. Several months ago AdaptiveMobile was one of the first companies to bring this to industry attention, and we are working with various mobile industry bodies to generate clearer recommendations on how to deal with this. In the interim, mobile operators are certainly within their rights to block these types of messages and can do so. This is because they clearly fulfil the classification of spam messages: they are both bulk and unsolicited (in the minds of many of the recipients), and they generate dozens of complaints every day.
I hope it does not come down to that, but application developers have the responsibility to build applications which do not engage in spamming or spam-like behaviour. That means:
- Making it very clear what is being sent
- Allowing the user to easily define who receives the invite
- Not offering a bulk blast to all contacts
- Implementing message sending correctly
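The resend loop described above and the four recommendations just listed, as an added example that is neither the app's nor AdaptiveMobile's code: a simulation of the unvalidated resend-until-success pattern beside a hardened sender that only contacts the people the user picked, validates numbers, sends each number once and caps retries. The SMS gateway, the phone book, the inviter name and 'ExampleApp' are constructed placeholders, and contact numbers are assumed to be stored in E.164 form.

```python
import re
from dataclasses import dataclass, field

E164 = re.compile(r"^\+[1-9]\d{7,14}$")  # '+' then 8-15 digits; contacts assumed normalised

@dataclass
class FakeGateway:
    """Constructed stand-in for the device SMS API; only `reachable` numbers report success."""
    reachable: set
    sent: list = field(default_factory=list)

    def send(self, number, text):
        self.sent.append(number)
        return number in self.reachable

def naive_invite_all(contacts, gateway, budget):
    """Pattern from the post: every contact, no validation, resend until success.
    `budget` bounds the simulation; on the handsets it ran while the phone was on."""
    pending = [number for _, number in contacts]
    rounds = 0
    while pending and rounds < budget:
        pending = [n for n in pending if not gateway.send(n, "Join me on the app!")]
        rounds += 1
    return len(gateway.sent)

def safe_invite(contacts, gateway, selected, inviter, max_attempts=3):
    """Hardened: only explicitly selected contacts, valid numbers only, each number
    once, bounded retries so unreachable numbers cannot keep the phone sending."""
    targets, skipped = {}, []
    for name, number in contacts:
        if name not in selected:
            continue
        if not number or not E164.match(number):
            skipped.append(name)  # '111', empty entries and the like
            continue
        targets.setdefault(number, name)  # same number twice -> one invite
    text = f"{inviter} invited you to try ExampleApp. Reply STOP to opt out."
    delivered, failed = [], []
    for number, name in targets.items():
        ok = any(gateway.send(number, text) for _ in range(max_attempts))
        (delivered if ok else failed).append(name)
    return {"delivered": delivered, "failed": failed, "skipped": skipped}

CONTACTS = [  # constructed phone book, including the kinds of 'invalid' entries the post mentions
    ("Alice", "+14155550100"),
    ("Alice mobile", "+14155550100"),  # duplicate number
    ("Bob", "+14155550101"),
    ("Carol", "+14155550102"),  # disconnected: never reachable
    ("Voicemail", "111"),
    ("Test entry", "123456789"),
    ("Dad", None),  # name with no number
]
REACHABLE = {"+14155550100", "+14155550101"}

def compare(budget=100):
    """Messages sent by each approach over the same phone book (naive, hardened, report)."""
    naive = naive_invite_all(CONTACTS, FakeGateway(REACHABLE), budget)
    gw = FakeGateway(REACHABLE)
    report = safe_invite(CONTACTS, gw, {"Alice", "Alice mobile", "Bob", "Carol", "Dad"}, "Dana")
    return naive, len(gw.sent), report
```

With a budget of 100 rounds the naive loop sends 403 messages for seven contacts, four of them failing forever; the hardened sender sends five and reports Carol as undeliverable and Dad as skipped.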
The vast majority of apps are well behaved and do not generate a greater proportion of problems than ordinary communications. What we need now is a notion of Ethical Growth Hacking, to ensure that the experience of those who install the app and those who receive the invite is valued as highly as the app developer's desire to grow their user base.
Chinese Spammers In US
As some of you may know, Chinese operators are making great efforts to stop spammers on their mobile networks, with help from the government and regulators. As part of these efforts, a new regulation announced in September last year requires all new mobile network subscribers to register their phone numbers using their true identity (手机号码实名制), which makes it much easier for regulators to marshal traffic within the networks. Meanwhile, existing users also need to update their information with their operators, as required by the regulation. The new regulation forces spammers to find an alternative way to send spam. For a long period of time we have seen an interesting trend: Chinese-targeting spammer groups sending their spam from North American mobile networks. One of them we are monitoring, codenamed SIKA, seems to have outsourced or offshored its spam operation to the United States.
SIKA has a simple but very effective and cost-efficient structure for operating under the radar of both Chinese and North American operators. They use many North American mobile phones, for which you can often get a cheap unlimited international messaging plan, as spamware 'soldiers'. Spamware enables a spammer to control multiple devices capable of sending SMS and to send large amounts of spam traffic through these devices at the same time. Spamware is a common issue in China, along with other spamming techniques such as illegal transmission stations. However, the obvious advantage of overseas spamware compared to illegal transmission stations is that it easily escapes the jurisdiction, while fake stations can be busted by local law enforcement. Together, these soldier numbers generate large amounts of spam traffic directed at subscribers inside Chinese mobile networks. A further benefit is that no expensive international SMS has to cross from China; all costs are covered by the unlimited messaging plan. These numbers are managed by Chinese command & control points located inside China.
Over time we have seen hundreds of North American phone numbers used by SIKA, registered in areas across the US such as California, New York and Texas. On the other hand, only a few C&C addresses within China have been used to manage all these soldiers. Investigation suggested these C&C points were mainly registered in three cities in central and southern China: Shenzhen (Guangdong), Xiangtan (Hunan) and Chongqing. Interestingly, our intelligence also suggests that the owners of the soldier mobile devices in the US and the C&C addresses in China are connected via family ties rather than pure business.
The text message spam sent to China by SIKA consists of giveaway scams, loans, second-hand car sales and massive real estate marketing campaigns. They don't stick to one type of spam, but often run a few different spam campaigns at the same time. This behaviour suggests they are more likely a spammer for hire (a mercenary-type spammer), providing a platform for whatever needs to be sent. One of the typical giveaway spams they were sending is:
This spam pretends to be from a popular talent show on China Central Television (CCTV), the national TV network in China, and tries to trick subscribers in China into believing they are the winner of a lottery amongst all SMS voters of the talent show.
Among all the malicious traffic, real estate marketing has taken a large portion, which we believe is more or less connected to the huge bubble in the Chinese real estate market at the moment.
After some research, most of the spam turns out to be promoting properties in southern China, such as Guangdong and Hainan. As often mentioned in reports, quite a few empty houses from over-developed projects exist in these areas. Looking into the recipient group, we found, quite interestingly, that the spammers sent these marketing messages all over the country, especially to northern China, including big cities like Beijing and Jinan (Shandong), trying to lure investment into real estate.
SIKA has generated a large amount of spam from North American networks over to China. During one spike, more than 70,000 people in China were affected by North American spam in less than a week, and as many as eight different spam campaigns can be active on the same day. Because of the many 'soldiers' they have in the network, SIKA can keep each spammer device at low volume, hiding under the radar. Our intelligence also shows that the network often hibernates for long periods, but becomes active around Christmas and Chinese New Year, targeting the holiday season.
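An added detection example, not AdaptiveMobile's own tooling, for the pattern just described: many sender numbers each kept below any per-sender volume threshold, all pushing digit-varied copies of one campaign template at recipients in a single destination country. Grouping by a template fingerprint and counting distinct senders per template exposes the campaign that per-sender counting misses. The records, the template text, the country-code parsing and the thresholds are constructed for this sample.

```python
import re
from collections import defaultdict

DIGITS = re.compile(r"\d+")
SPACES = re.compile(r"\s+")
NAMES = ["Ann", "Ben", "Cho", "Dev", "Eli", "Fay"]
PLACES = ["the office", "the gym", "school", "the station", "home"]

def fingerprint(text):
    """Case-fold, collapse digit runs to '#' and normalise whitespace, so variants that
    differ only in prize codes or callback numbers share one template."""
    return SPACES.sub(" ", DIGITS.sub("#", text.casefold())).strip()

def country_code(msisdn):
    """Crude split for the sample: '+1' for NANP numbers, else '+' and the first two digits."""
    return "+1" if msisdn.startswith("+1") else msisdn[:3]

def per_sender_counts(records):
    counts = defaultdict(int)
    for sender, _, _ in records:
        counts[sender] += 1
    return counts

def find_distributed_campaigns(records, min_senders=10, min_dest_share=0.9):
    """Flag templates sent by many distinct senders whose recipients concentrate in one
    country code: the 'many soldiers, low volume each' pattern."""
    groups = defaultdict(lambda: {"senders": set(), "dests": defaultdict(int), "n": 0})
    for sender, recipient, text in records:
        g = groups[fingerprint(text)]
        g["senders"].add(sender)
        g["dests"][country_code(recipient)] += 1
        g["n"] += 1
    flagged = []
    for fp, g in groups.items():
        top_cc, top_n = max(g["dests"].items(), key=lambda kv: kv[1])
        if len(g["senders"]) >= min_senders and top_n / g["n"] >= min_dest_share:
            flagged.append({"template": fp, "senders": len(g["senders"]),
                            "messages": g["n"], "dest_cc": top_cc})
    return flagged

def build_sample():
    """Constructed traffic, not real data: 40 'soldier' numbers each sending three
    variants of one giveaway template to +86 recipients, plus 30 ordinary messages."""
    recs = []
    for i in range(40):
        for j in range(3):
            text = (f"CCTV talent show lucky voter! Your prize code is {10000 + i * 7 + j}. "
                    f"Call 0755 {200000 + i} to claim")
            recs.append((f"+1415555{i:04d}", f"+8613{i:02d}{j:07d}", text))
    for k in range(30):
        text = f"Hey, it's {NAMES[k % 6]} at {PLACES[k // 6]}, call me when you're free"
        recs.append((f"+1212555{k:04d}", f"+1646555{k:04d}", text))
    return recs

def compare(per_sender_threshold=50):
    """Per-sender volume alerting versus template clustering over the same records."""
    recs = build_sample()
    loud = [s for s, n in per_sender_counts(recs).items() if n >= per_sender_threshold]
    return loud, find_distributed_campaigns(recs)
```

On the sample no sender exceeds three messages, so volume alerting flags nothing, while template clustering reports one campaign of 120 messages from 40 senders aimed entirely at +86.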
In conclusion, as a mercenary-type spammer, SIKA has built a very 'successful' network and business model. Previously they operated on both Chinese and North American networks without being detected for a long time. We expect to see more Chinese spammers adopt this operation as a counter-strategy to the tightened domestic environment. However, we have been monitoring and blocking them when detected, which should make their operation much more difficult in the future.
Visualizing Spam Reloaded
As well as our impressive new website, today we also took our Big Data & Security research further with an interactive visualization of text message spam in North America. Best viewed in Chrome or Firefox, this builds on our Visualizing Spam model and reuses Google's fantastic WebGL Globe. It shows the weekly counts of blocked text message spam being sent to and from North America during Q4 of 2013, indicating which areas have been targeted and from where.
By cycling through the weeks you can clearly see the general reduction of SMS spam being received in North America during this period. Of particular interest is that it shows the main areas being targeted by SMS spam in North America, especially southern Florida, which received a huge amount of Junk Car spam compared to the rest of the continent. These visuals show you how much of a problem it really was, and how it drops as time goes on.
From this: [globe screenshot] To this: [globe screenshot]
The visual also shows the interaction of text message spam between North America and the rest of the world. When 'spam location sent' is selected, you see the locations from which spam (that goes to North America) originates. While not as sizable as volumes within North America, there are countries which 'export' a considerable amount of text message spam to the continent, including Guatemala and Ireland. When 'spam location received' is selected, you can see where spam that originated in North America is targeted. In this case you can see that generally more text message spam leaves North America than enters it; the continent as a whole is a net exporter of text message spam to the rest of the world. You can also see some interesting places where it ends up during this period, such as Iraq and Mongolia.
This is part of our ongoing experiments to analyse and gain insight into mobile security data. Feel free to explore and play with the visuals. While the framework was easy to reuse, as the code was in place and available, it really came alive once combined with the enriched data we have. The main drawback of the model is that WebGL is not fully supported as standard on some browsers, like IE; hopefully this will change in the future, but for now it works great in Chrome or Firefox. As was the case for our earlier visuals, locations within North America are calculated using NANPA geolocation, meaning it is not the true location but the exchange at which the phone is registered. For worldwide locations this is calculated using the country code. This tends to make some peaks outside the US & Canada seem higher/more 'spammy' than those inside, but as the vast majority of text message spam stays within North America it probably evens out. Happy exploring!
The Messaging Apps Turning to Growth Hacking to Compete
Every day, thousands of social network, messaging and game mobile applications compete for downloads. This fierce competition has led to increasingly aggressive techniques to 'encourage' take-up of these apps. One method which we've seen become an increasing issue, particularly over the last six months, is growth hacking.
Growth hacking is a method of increasing the user base of an app, in which a user-installed app promotes itself by notifying or inviting the user's contact list by SMS. We first brought this to the industry's attention back in February, and in order to show the full scale of the misuse of the technique we have investigated the most active and popular social and messaging applications in North America over the last two months.
Our new report, which details the findings, found the following apps to be the most aggressive in sending SMS messages to a user's contact list, while also making it difficult for users to opt out:
In monitoring the invitations sent during this period, we found that Glide sent 57% of the invites and Tango sent 19.7%. By way of comparison, Glide sent out over 10 times more SMS invites than WhatsApp, an application with low levels of customer complaints, and made it very difficult for users to opt out of inviting their contact list, leading to the highest number of consumer complaints. Although the Tango app allows users to easily opt out of inviting contacts when they install the app, it also includes an 'Invite on Activity' feature, so that when a photo is taken using the app more invites are sent, resulting in a significant number of complaints.
This issue is now being recognised by the industry, with the news on Friday that Google has made changes to its Android Developer Policy to ban apps from sending unsolicited SMS promotions. We'd advise that if an app chooses to send invites, and if this is permitted by the relevant app store and mobile operator, then it needs to make sure that safeguards are built into the design to ensure that a user can easily opt out.
While compiling the report, we alerted all the applications identified as generating excessive invites and shared the research with Google and other industry players. We will continue to work closely with app developers, app store owners and mobile operators to reduce the amount of App-Spam being generated.
For more details on the findings and our suggestions on a code of conduct you can download the full report here: http://www.adaptivemobile.com/downloads/messaging-wars-code-of-conduct